PCI Compliance Frequently Asked Questions



Purpose

This FAQ is intended to provide a general overview about the Payment Card Industry (PCI) Data Security Standard (DSS) and its requirements for credit card payment providers. All merchants allowing payments via credit/debit cards are presumed to be compliant with the PCI DSS. Failure to maintain compliance will result in fines. 

SecureTrust PCI Compliance

For details on how to complete the Paystri PCI Compliance questionnaire, provided by SecureTrust, you can visit https://insights.paystri.com/cci-saq-guide.





Disclaimer

Card Concepts, Inc. will not be held accountable for merchants who fail to consistently remain PCI compliant. CCI ensures its business partners will have the necessary parts needed to become compliant. It is up to the operator to maintain these parts and actively arrange compliance with their processors per the PCI DSS. 

Note

If you are not finding the answer to your question or are confused about an answer, we recommend reaching out to your acquirer (merchant processor) who can assist you with the PCI SAQ. 



General Questions

What is the Payment Card Industry (PCI) Data Security Standard (DSS)?

PCI DSS is an information security standard for organizations that handle branded credit cards from the major card brands. There are 12 fundamental requirements to maintain in order to become PCI compliant. These requirements are mandated by the Payment Card Industry Security Standard Council (PCI SSC), which is discussed later in this document. These requirements are: 

  1. Install and maintain a firewall configuration to protect card holder data. 

  2. Do not use vendor-specific defaults for system passwords and other security parameters. 

  3. Protect stored cardholder data. 

  4. Encrypt transmission of cardholder data across open, public networks. 

  5. Protect all systems against malware and regularly update anti-virus software or programs. 

  6. Develop and maintain secure systems and applications. 

  7. Restrict access to cardholder data by business need to know. 

  8. Identify and authenticate access to system components. 

  9. Restrict test security systems and processes. 

  10. Track and monitor all access to network resources and cardholder data. 

  11. Regularly test security systems and processes. 

  12. Maintain a policy that addresses information security for all personnel. 

For more information about PCI DSS and its requirements, please visit PCI's official website at https://www.pcisecuritystandards.org/.

Who is the Payment Card Industry Standards Security Council (PCI SSC) & What do They do? 

There are five major credit card brands that make up the PCI SSC. They are: 

  • MasterCard

  • Visa

  • American Express

  • JCB International

  • Discover

Their mission statement aims to "enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders." 1

How do the PCI DSS requirements affect CCIs business partners? 

CCI routinely updates its information security devices (e.g. LaundryCard Router Firewall, Satellite Access Point) and their peripheral devices to meet and uphold the requirements laid out by the PCI DSS. We also maintain close relationships with our integrated gateway and merchant payment processors who are also mandated to meet the requirements laid out by the PCI DSS. 

As a customer of CCI you are expected to uphold and maintain the devices provided from CCI that stand by the requirements listed. Failure to maintain and use these mandated devices will result in lack of support for credit card payments, loss of customer trust, and a drop in sales. In addition, the PCI SSC has been known to establish fines of up to $500,000 for security breaches when merchants are not PCI compliant. 2

What does it take to become PCI compliant as a business owner? 

There are a multitude of detailed requirements and items for business owners to take when offering their clientele the option to "pay-with-plastic". Small-to-medium sized businesses are classified as "Level 4 Merchants". This means that to satisfy the requirements of the PCI DSS, your business must complete the following steps: 

  1. Determine which Self-Assessment Questionnaire (SAQ) your business should use to validate compliance. 

  2. Complete the SAQ according to the instructions it contains.

  3. Complete and obtain evidence of passing a vulnerability scan with a PCI DSS Approved Scanning Vendor (ASV). 

  4. Complete the relevant Attestation of Compliance (AoC) in its entirety. 

  5. Submit the SAQ, evidence of a passing scan, and the AoC, along with any other requested documentation, to your acquirer (merchant processor).

What is your product name?

Depending on your acquirer and ASV provider, the answer to this question may not be the current system you are using, i.e. LaundryCard, FasCard, or FLEX. The questionnaire may provide you with a list of generic options that may include: 

  • Wash Card

  • Laundry Services

  • Wash Dry Fold (do not mistake this for the POS provider)

Any of those above options will suffice. 

Do you have any additional payment systems?

If you have a POS or ATM that is managed on the same network as the CCI provided payment system, then your answer is yes

If you have multiple routers and/or Internet connections to manage all payment systems separately, then your answer is no

Besides your POS system, are there any other devices on your network?

The answers to this question may vary, depending on your business requirements. Examples of other devices may include: 

  • Camera system. 

  • ATM.

  • Third-party POS system. 

  • Smart TVs. 

  • Desktops/Laptops. 

  • Mobile devices (e.g. tablets, smartphones).

If you answered yes to this question, then you will need to continue with the follow up question below.

Are these devices isolated from your POS network? 

For LaundryCard, the answer depends on your network. If the firewall device is connected to the same router/modem as your camera system, for example, then it is not isolated. If you have a separate Internet connection for your camera system, then it is isolated. Other examples of isolation may include a separate WiFi network for customers, Internet for office use only, ATM network requirements, and others. 

For FasCard, the answer is yes. Other devices cannot connect to the Satellite. 

What industry are you a part of?

All laundromat/laundry servicing business are considered part of the Retail industry. 

Does your company share cardholder data with third-party providers?

This should not be the case, unless you have chosen otherwise. CCI does not share this information to third-party companies. 

Does your company have a relationship with more than one acquirer?

If you are exclusively offering laundry services, then your answer is no

If your business includes other goods and services, for example a car wash or gas station, then you will likely have multiple acquirers (merchant processors). 

How does your business store cardholder data?

Through encrypted historically reported data that only contains the name, last four digits of a customers card number, and their respective transaction details provided by the gateway processor. 

Briefly describe the environment covered by this assessment.

The answer depends on your business structure and the system you use with CCI.

For example, our FasCard/FLEX owners might heavily utilize the FasCard App and incentivize their customers to do the same. Whereas our LaundryCard customers are specifically tied to a kiosk type machine to transact accordingly. Your answer can be as specific and descriptive as you'd like or it can be a generic response that you may find searching through the Internet. 

What is your Merchant ID on file?

Please contact your gateway processor for this information. 

Who is your qualified integrator or reseller?

To locate this information, please follow these steps based on your current system:

LaundryCard Version 9

LaundryCard Version 8 & Prior

FasCard/Flex

LaundryCard Version 9

LaundryCard Version 8 & Prior

FasCard/Flex

  1. Access your Manager Options either remotely or via your Manager Card.

  2. Select System Setup

  3. Then select General Info

  4. View the section titled Credit Card Settings.

  5. In the Service Type field, you will see the name of your integrator.

  1. Access your Manager Options either remotely or via your Manager Card.

  2. Select Manager.

  3. Then select General Info

  4. View the section titled Credit Card Settings.

  5. In the Service Type field, you will see the name of your integrator.

  1. Log into the Admin site.

  2. Select the System tab. 

  3. Select the System Maintenance sub-tab.

  4. At the bottom of the page you will see Service Type, this assigned field is your integrator.

Examples will include: 

  • AuthorizeNet

  • WorldNet

  • Datacap

  • Pineapple

What other third-party payment systems manage your POS, if any?

This should not be applicable to your business, unless you have chosen otherwise. 

Do you protect your POS from the internet and untrusted networks?

Yes, CCI will always provide our business partners the devices they need to keep their POS networks secured. If these devices are not maintained correctly, your network will be at risk. 

Is there a firewall in place?

Yes, there should always be a CCI provided firewall device in place and is actively working. Failure to maintain the firewall can result in a security breach. 

Do you have POS devices connected to your network wirelessly?

No, all devices will be hardwired for their respective network.

In the case of FasCard/FLEX systems, the readers connect to their Satellite Access Point (SAP) wirelessly, but is still considered a hardwired network because of how the SAP connects to the Internet. 

Are your wireless devices and Wireless Access Points secured as follows:

  • Are the default settings changed? 

  • Is the wireless access point configured to use encryption? 

  • Have the encryption keys been changed from defaults and changed when employees who know them leave the company? 

The answer to the above questions is yes

  • Do you use wireless devices anywhere else in your business? 

This answer to this question is dependent on your business needs, which may include a third-party POS system or other devices. 

Do you have a list of wireless access points along with authorization for these devices for business purposes?

If you have not completed this step, we recommend you do so. 

Do you have a process for network isolation?

Yes. CCI ensures the installation process keeps your network isolated. However, if your ASV provider locates unnecessary external devices, they will fault you and may lead to a fine from the PCI DSS.

To ensure the network is isolated, only have the necessary devices connected to the CCI provided network devices. This includes an Internet modem or router, appropriate network switches/hubs, and third-party POS systems that have been authorized to work with your system. 

Do you check your business' network for unauthorized wireless access data?

This is dependent on your business needs. CCI will not be able to maintain a record for your business network. 

Is strong encryption always used to transmit data?

Yes, CCI routinely updates their network devices to maintain a modernized level of security as mandated by the PCI DSS, among other business requirements. 

Is your strong encryption configured in according with vendor recommendations and best practices?

Yes, CCI is always maintaining and standardizing our best practices and recommendations for such matters. The PCI DSS requires CCI to do so. 

When your business adds new computers/POS equipment, do you update the default passwords?

Yes, as it is an integral part of any new IT and password secured devices. 

Do you have knowledgeable personnel that have an understanding of configuration and solid configuration standards for the POS?

Yes, that would be CCI Technical Support, always gladly here to assist you.

Are these configuration standards kept up to date and applied whenever new POS systems are installed for your business?

Yes, because CCI continuously updates and fixes any issues found from our customer interactions. 

Do your configuration standards ensure that only one primary function is implemented for your server and virtual server in your environment?

Yes, as multiple changes to primary functions may cause severe issues. Therefore, they are released in increments over a short period of time. 

Do you or your reseller ensure that all POS equipment is securely configured?

Yes, as previously stated, CCI consistently updates and fixes current issues and flaws with all equipment. 

Does your POS system only run software meant for your business?

Yes, if you are exclusively using only CCI-provided equipment. This excludes third-party components purchased outside of CCI's recommendations. 

Any third-party integrations or POS systems are out of the scope of this FAQ and will have to be determined by you. 

Are documented procedures followed in accordance with what's recommended?

Yes, CCI regularly maintains and updates their documentation based on industry standards in the field. 

Do the computers running the POS software run Microsoft Windows or Apple OS X? 

All CCI-provided computers will run Microsoft Windows

Do the computers running the POS software use Anti-Virus (AV) software? 

No, Windows Defender on CCI LaundryCard systems is disabled. The computers should not be used for any other means besides LaundryCard.

Do the computers running the POS software have Anti-Virus (AV) always active? 

No, Windows Defender on CCI LaundryCard systems is disabled. The computers should not be used for any other means besides LaundryCard.

Do the computers running the POS software log Anti-Virus (AV) activity? 

No, Windows Defender on CCI LaundryCard systems is disabled. The computers should not be used for any other means besides LaundryCard.

Do the computers running the POS software do periodic FIM checks and alerts? 

No, the CCI LaundryCard system does not do periodic checks or alerts for file integrity monitoring, but CCI does use file integrity monitoring.

Do all your computers within the POS environment use file integrity monitoring and similar tools to detect when important files are tampered with?

Yes, as it assists CCI's tech support in resolving issues that relate to file corruption and data loss. 

Do any third-party's manage or service any of your POS equipment?

Yes, because we do request that our business partners reach out to their distributors for assistance regarding certain matters. 

Do you manage or service any of your POS equipment remotely over the internet?

Yes, CCI provides their business partners the tools necessary to remotely and actively fix their own issues.

Are secure techniques used to safeguard all remote management? 

Yes, modern VPN technologies and remote access tools are consistently updated by their respective providers and utilized by CCI. 

Do you have processes to check for vendor supplied security patches for your computers and POS equipment? 

This should be the case when you contact CCI Technical Support. We recommend updating and patching your equipment at all times. 

Do you have a process for identifying security vulnerabilities, including information from outside sources? 

Yes, CCI does keep track of any security vulnerabilities to their provided hardware. Any third-party devices will have to be identified by you. 

Do logs contain key information about security activities? 

Yes, the devices provided will log any and all pieces of information regardless of its nature. 

Do you review logs as well as security related logs daily and periodically? 

This is dependent on your business needs. CCI will periodically check logs for specific issues and vulnerabilities that are brought to our attention.

Are these logs retained for at least one year and can be examined? 

Yes, these long-term logs are accessible at any given time. CCI Technical Support will gladly assist you in locating them when necessary. 

Does your business receive any paper documents with full credit card numbers? 

This should not be the case, unless you have chosen otherwise. Receipts printed for customers will only contain the last four digits of their credit card numbers. 

Is access to your payment equipment limited to employees who require it? 

No, because customers will interact and use the payment equipment (readers, bezels) at your business. 

Do you maintain a list of payment equipment as follows: 

  • Card readers. 

  • Device make and model. 

  • List of kept up-to-date devices. 

This is dependent on your business requirement. The answer should be yes, as we would like for you to maintain and record your equipment to the best of your ability.

Do you train employees often to check for tampering? 

This should be the case, unless you have chosen otherwise. 

For more information about what a tampered device may look like and what to look out for, please contact CCI Technical Support. 

Do you restrict access to publicly accessible network jacks? 

This is dependent on your stores layout. Some network jacks may be removed entirely or hidden behind equipment. 

Do you have written security policies and procedures to address the protection of papers with credit card numbers, such as receipts? 

This is dependent on your business and customer requirements. Customers may ask you for a paper receipt regarding their transactions, especially when an error occurs. 

Do you review and modify your security policy at least once a year? 

This is up to the owner and applicable parties. Some businesses may not have a security policy in place and will follow different security practices. 

In the event of compromised customer credit card numbers, do you have a formal plan on how to respond including notifications? 

You will have to reach out to your acquirer (merchant processor) in case of a breach. Please contact CCI if a breach were to occur, however, CCI will not be able to assist you if your business was breached. 

For any CCI-specific outages or issues, please view https://cci.statuspage.io/ for the latest information. 

Do you have a policy forbidding employees from sending full credit card numbers over email or other insecure messaging technologies? 

This is dependent on your business requirements. CCI does not store this information. 

Are there any third-party companies with whom you share credit card data?

This is dependent on your business requirements and if you have any external agreements in place. 

Do you protect your POS equipment from threats generating from untrusted networks? 

Yes, the CCI provided firewalls will prevent any external networks from connecting. This will always hold true as long as no external devices are connected to the CCI-provided firewalls. 

LaundryCard Specific Questions

Do your computers automatically log computer activities? 

Yes, CCI-provided computers do keep a track of all computer-related activities. This includes third-party computers that were integrated with CCIs systems. 

What 'Processing Method' does LaundryCard use?

We use what is called a 'Payment Application' as many PCI forms will call what we do.

What version are you currently using? 

Please follow these steps to determine your current version:

Version 9

Version 8

Version 9

Version 8

  1. Access your Manager Options either remotely or via your Manager Card.

  2. Select Maintenance

  3. Then select Store Status

  4. View the section titled System Status, towards the top of the page. 

  5. You will then need to locate LaundryCard Version: 9.X.X. This will be the applicable version.

  1. Access your Manager Options either remotely or via your Manager Card. 

  2. Select Store Status

  3. View the section titled System Status, towards the top of the page. 

  4. You will then need to locate LaundryCard Version: 8.X.X. This will be the applicable version.



FasCard Specific Questions

How many locations are using this payment system?

If your account contains two or more locations, then you must enter in the quantity of locations managed by the individual account. This does not include other accounts that you may own with a different store ID.

If you do have multiple locations for one account, please continue with the follow up question below.

Are these locations that accept credit cards connected to each other?

No, all locations are not able to connect to each other, even if they are in close proximity, such as an apartment building. 

What 'Processing Method' does FasCard use?

We use what is called a 'Payment Application' as many PCI forms will call what we do.

What version are you currently using? 

For FasCard/FLEX, please log into the Admin site, and view the bottom of the screen for the current version. Such as the example below.

Footnote

  1. PCI SSC mission statement <https://www.pcisecuritystandards.org/about_us/

  2. PCI DSS penalties <https://financial.ucsc.edu/pages/security_penalties.aspx>